Dangerous New Worm Wriggles Through Jailbroken iPhones

The worms infecting jailbroken iPhones have evolved quickly. Earlier this month, the so-called Ikee worm merely bombarded its victims with images of an '80s pop singer. The latest worm, dubbed "Duh," wrangles iPhones into a malicious botnet. So far, the only iPhones that worms have managed to invade are jailbroken units that have been hacked by users to support software Apple hasn't approved.

For the third time in a matter of weeks, jailbroken iPhones and iPod touches have come under attack, this time by a worm that could set up botnets and steal banking information.

Security researchers, already on alert as a result of the two previous attacks on jailbroken iPhones, jumped on the worm right away.

"This is one of the first, if not the first, mobile botnets ever," Mikko Hypponen, chief research officer at F-Secure, told MacNewsWorld. "It clearly shows that the more criminal elements are entering the mobile space and targeting mobile phones."

More attacks targeting jailbroken iPhones and iPod touches may surface soon. "The problem of poorly secured jailbroken iPhones is so well-known now that it would be a surprise if we didn't see any more malware targeting the platform," said Graham Cluley, senior technology consultant at Sophos.

While some attacks could be launched with criminal intent -- like the latest worm, dubbed the "Duh" worm by Sophos researcher Paul Ducklin -- others might be created by hobbyist hackers and "script kiddies" -- novices who want to play with code for less nefarious purposes, Cluley told MacNewsWorld.

There's no way to prevent these attacks because Apple won't work with antivirus vendors, F-Secure's Hypponen said. "We can't build an antivirus product for the iPhone without Apple's help and, so far, Apple hasn't seen security as a problem because there are no Apple viruses," he explained.

"Even this worm is not seen as a problem because it only affects jailbroken iPhones."

More About 'Duh'

The "Duh" worm used a command and control center just like a traditional botnet running on PCs, according to a blog post by Chester Wisniewski, senior security adviser at Sophos.

A botnet is a collection of computers that have been taken over by malicious software and formed into a network to distribute malware or spam. Such botnets are managed by one or more command-and-control servers that lay down rules and send out instructions to the bots.

The "Duh" worm configured two startup scripts -- one to execute it on boot-up and the other to create a connection to a Lithuanian server to upload stolen data and cede control to the bot master. The worm attacked ISPs in the Netherlands, other European countries and Australia. It spread more quickly on a WiFi connection than a typical 3G connection.

The worm targeted the ING Bank in the Netherlands, Peter James, global spokesperson at Intego, told MacNewsWorld. However, it could have easily spread to other countries, he pointed out.

A 'Duh' Moment

The worm called the component that reported back to its command and control center "Duh," leading Sophos researcher Paul Ducklin to call the worm by that name on his blog.

Unlike Ikee, the worm that made news recently by distributing a prank pop-up screen, the "Duh" worm changes the root password but leaves SSH running, Ducklin said. It changes the password by rewriting its hashed value in "/etc/master.passwd," not by running the "passwd" command with the new password in plain text, so users won't know what it is.

Using the John the Ripper password cracker from the Openwall Project, Ducklin found out the "Duh" worm changed the iPhone's default password, which is "alpine," to "ohshit."

How could anyone sophisticated enough to hack an iPhone neglect to change the device's default password? "My guess is that users are excited about finally running their jailbroken iPhone and don't perceive that the dangers of leaving the password unchanged are significant," Sophos' Cluley said.

Jailbroken iPhones are now going to pose a serious security threat to the enterprise, Sophos' Wisniewski warned. "It does not appear that iPhones are able to report back any sort of status information, so there is no way to securely use them in an enterprise environment," he said. "If an infected phone is also connected to your MS Exchange, WiFi, or VPN environment, all of your confidential data could be at risk." IT administrators should conduct a physical spot check for jailbroken iPhones, Wisniewski recommended.

Security and the iPhone

The "Duh" worm is the most sophisticated iPhone malware to surface so far, Mac antivirus vendor Intego said. It can download data, including executables and other new files, which it then uses to run and carry out its actions.

"The nasty thing about iPhone attacks is that there's nothing you can do," F-Secure's Hypponen pointed out. "There's no antivirus product available for the iPhone because Apple won't let antivirus vendors create one."

Apple spokesperson Natalie Harrison declined comment on this issue. Cupertino has little sympathy for jailbroken iPhone owners. "The worm affects only a very specific set of iPhone users who have jailbroken their iPhones and hacked them with unauthorized software," Harrison told MacNewsWorld.

"As we've said before, the vast majority of customers do not jailbreak their iPhones, and for good reason," she added. "These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably."